He found that PayPal was using the Actuate iPortal application (a third-party app) to display customer reports, so Nir downloaded the trial version of the app from its official website for testing purposes.

After going deeply through the source code of the trial version, Nir located a file named getfolderitems.do that allowed him to access users' data without credentials.

Nir found that getfolderitems.do takes an ID parameter of 7-8 numeric characters, e.g. getfolderitems.do?id=392302; changing this value returns the secret token ID of whichever user has that ID.

After obtaining the secret token ID of the victim's account, he used the folder parameter, i.e. getfolderitems.do?folder=/users/secretokenidoftheuser, to access the victim's private data. PayPal only blocked direct access to the users folder without a token, i.e. getfolderitems.do?folder=/users/.

In other words, the URL https://business.paypal.com/acweb/getfolderitems.do?folder=/users/tokenidofthevictim/ returns the victim's data, where tokenidofthevictim is the victim's secret token.
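The underlying defect is a missing ownership check: the server never ties the requested id or folder to the logged-in user, so a predictable numeric ID is enough to reach another user's token and folder. The following Python model, an added illustration and not Actuate's or PayPal's code, contrasts that behaviour with a hardened handler that resolves every resource from the authenticated session; all user IDs, tokens and file names are constructed.

```python
from dataclasses import dataclass

# Constructed sample data (not real PayPal data): numeric user id -> secret
# folder token, and the items stored under each user's token folder.
USER_TOKENS = {392302: "tok-a1b2", 392303: "tok-c3d4"}
FOLDER_ITEMS = {
    "/users/tok-a1b2/": ["report-q1.pdf"],
    "/users/tok-c3d4/": ["payroll.xlsx"],
}


@dataclass
class Session:
    user_id: int  # the identity the server has actually authenticated


class Forbidden(Exception):
    pass


def vulnerable_get_folder_items(session, user_id=None, folder=None):
    """Models the flaw: the id lookup ignores the session entirely, and the
    folder lookup only blocks the bare /users/ listing, not other users'
    token folders, so any caller can read any user's data."""
    if user_id is not None:
        return USER_TOKENS.get(user_id)  # any id maps to its owner's token
    if folder == "/users/":
        raise Forbidden("directory listing blocked")
    return FOLDER_ITEMS.get(folder, [])  # any folder path is served as-is


def hardened_get_folder_items(session, user_id=None, folder=None):
    """Fix: resolve the token and folder from the session, and reject any
    request whose id or folder does not belong to the authenticated user."""
    if user_id is not None and user_id != session.user_id:
        raise Forbidden("id does not belong to the caller")
    own_token = USER_TOKENS[session.user_id]
    own_folder = f"/users/{own_token}/"
    if user_id is not None:
        return own_token
    if folder is not None and folder != own_folder:
        raise Forbidden("folder does not belong to the caller")
    return FOLDER_ITEMS.get(own_folder, [])


def is_forbidden(handler, session, **params):
    """True if the handler rejects the request; used to compare the two."""
    try:
        handler(session, **params)
    except Forbidden:
        return True
    return False
```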

This flaw, which was exploited for demonstration purposes only, has now been fixed by PayPal's security team.